View Permissions of a User in the Console
The Console has had the [View Permissions] menu item for many versions of Bloomreach Experience Manager.
It used to show the permissions of the currently logged-in Console user on a specific JCR Node in the repository.
Before Bloomreach Experience Manager 14.0.0, the Permissions Dialog was of limited use because it
- could only show the permissions for the currently logged-in Console user, which in general is an admin
- did not show where the permissions come from
With Bloomreach Experience Manager 14.0.0, the Permissions Dialog has been revamped into a very useful tool for testing custom Security Domains created for specific groups or users. It now also shows
- the permissions (privileges) on a JCR Node, including the path to the Security Domain providing the specific privilege
- all the Userroles a user has
- a search box in which you can enter any user id and see the permissions for that specific user on the JCR Node
View Permissions Dialog
When you are logged in to the Console as admin, navigate to, say, /content/documents/myproject/blog/2019/11/first-blog-post/first-blog-post, and click the [View Permissions] menu item, a dialog like this opens:
In this dialog you see
- in the top grey bar the path of the JCR Node for which the permissions are checked
- in the search box the username for which the permissions are checked
- user information containing the memberships (groups) the user belongs to and all the Userroles the user has
- the permissions allowed on the node, separated into JCR Session Actions and Privileges
Explanation of the View Permissions
The username search box shows the user for whom the permissions are checked. Typing a different user(id) and clicking [find user] shows the information for that user (or an error message if the user(id) does not exist).
Memberships shows all the groups the user is a member of.
Userroles shows all the Userroles the user has. Note that these are all the Userroles for the user, regardless of which JCR Node was selected to view the permissions for.
Actions shows the JCR specification permissions; see 16.6.2 Permissions in JCR 283. The advice is not to pay attention to Actions, since they are very confusing and hard to understand. Looking at the Privileges instead is much easier.
Privileges shows all the privileges the user has on the JCR Node that was selected when opening the View Permissions Dialog. For each privilege it also shows which Security Domain contributed that privilege. If multiple domains contribute the same privilege on the JCR Node, all those domains are shown.
Example View Permissions Author
With the View Permissions Dialog open as described above, choosing author (a user available in the local archetype development data) makes the dialog look as follows:
The dialog shows that the author user has the privilege hippo:author on /content/documents/myproject/blog/2019/11/first-blog-post/first-blog-post, which gives that user the author workflow role on the node, and that the user has jcr:read, which provides the necessary read access for the author.
Special Case: Implicit Read Access
The Security Domains documentation has a section on Implicit Read Access to Ancestors. Read access on these ancestors, however, cannot easily be attributed to a specific Security Domain. In that case you can get the Action read or the Privilege jcr:read without any indication of which domain contributed the privilege.
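The reporting described under Privileges and under Implicit Read Access, as an added example that is not Bloomreach code: a simplified Python model in which each Security Domain covers a single subtree (an assumption; real domains select nodes by rules) and in which ancestors of readable nodes get implicit read. The domain names, the group name example-authors and the function names are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Domain:
    path: str     # where the Security Domain is stored (constructed path)
    subtree: str  # assumption: domain covers one subtree; real domains match by rules
    grants: dict  # principal (user id or group name) -> set of privileges

def is_under(node, root):
    """True if node equals root or lies below it."""
    return node == root or node.startswith(root.rstrip("/") + "/")

def view_permissions(node, user, groups, domains):
    """Return {privilege: sorted domain paths}; [] means implicit, no domain."""
    principals = {user, *groups}
    found = defaultdict(set)
    for d in domains:
        privs = set().union(*(d.grants.get(p, set()) for p in principals))
        if is_under(node, d.subtree):
            for priv in privs:
                found[priv].add(d.path)  # every contributing domain is kept
        elif "jcr:read" in privs and is_under(d.subtree, node):
            # node is an ancestor of readable content: implicit read,
            # which cannot be attributed to a specific domain
            found.setdefault("jcr:read", set())
    return {priv: sorted(paths) for priv, paths in found.items()}

# Constructed sample data (domain names and group name are made up)
BLOG = "/hippo:configuration/hippo:domains/example-blog-authors"
DOCS = "/hippo:configuration/hippo:domains/example-all-documents"
DOMAINS = [
    Domain(BLOG, "/content/documents/myproject/blog",
           {"example-authors": {"jcr:read", "hippo:author"}}),
    Domain(DOCS, "/content/documents", {"author": {"jcr:read"}}),
]
POST = "/content/documents/myproject/blog/2019/11/first-blog-post/first-blog-post"

if __name__ == "__main__":
    for node in (POST, "/content"):
        print(node)
        perms = view_permissions(node, "author", {"example-authors"}, DOMAINS)
        for priv, paths in perms.items():
            print("  ", priv, "<-", paths or "(no domain: implicit read)")
```

When testing a custom Security Domain, a privilege listed under more domains than intended, or a jcr:read with no domain on a node that is not an ancestor of readable content, is the kind of result to investigate in the real dialog.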